Vulnerability Management

Impact of Linux bug ‘grinch’ spans servers, workstations, Android devices and more

A security firm has disclosed details on a grievous bug, called “grinch,” which impacts all Linux platforms potentially allowing an attacker administrative access to systems where they can go on to remotely install malicious applications, steal data, or perform other malicious acts of their choosing.

Disclosed by Alert Logic the week before Christmas, grinch has apparently earned its name, as approximately 65 percent of all web servers on the internet use a Unix/Linux based operating system, making them vulnerable to attack, the firm said in a Tuesday blog post citing a 2013 W3Tech report.

Additionally, servers are vulnerable to exploitation, along with corporate and personal computers running Linux, and Android devices (which leverage an mobile operating system based on the Linux kernel), Alert Logic revealed in email correspondence with SCMagazine.com. Cloud storage services, like Amazon Web Services (AWS), also run on Linux, the firm added.

In its blog post, Alert Logic said that “in the thick of the holiday season, we are analyzing which operating systems support the needs of e-commerce and brick and mortar retail shops.” In doing so, researchers “found that Linux is dominating when it comes to e-commerce deployment.”

Back in August, Alert Logic senior security researcher Tyler Borland stumbled upon the serious flaw while the research team analyzed the Linux platform. Grinch technically resides in the new Linux authorization system that allows privilege escalation through Wheel, the firm revealed in its blog.

“Wheel is a special user group that controls access to the su command, which allows a user to masquerade as another user,” the post said. “When a Linux system is built, the default user is assigned to the wheel group that allows for administrative task execution within the system. For example, if the file is owned by user XYZ and group wheel, it will run as XYZ:wheel, no matter who executes the file.”

In an interview with SCMagazine.com, Stephen Coty, director of threat research at Alert Logic, said that, simply put, “anything that is set up by the Linux default settings would be affected” by grinch.

“This vulnerability could allow the attacker to install any type of software they want to, meaning remote access trojans (RATs), or software where they 100 percent own that box, or software where they can exfiltrate 100 percent of the information off a [targeted] server,” Coty added later. “They could install anything, so the possibilities are really endless at that point.”

Currently, there is no patch for the bug, but Alert Logic reported the issue through RedHat and Bugzilla four months ago when it discovered the vulnerability, Coty said.

To combat the security issue, enterprises can “rewrite some administrative access” and employ security logging software to detect suspicious activity, such as administrative privileges being rewritten – “a monitoring approach, not a fix,” the firm said in initial email correspondence with SCMagazine.com.

“The majority of people using Linux use it for lower costs….and they just go with the default settings,” Coty noted in his interview. “Unless you customize your authentication settings, like your user groups and admin groups, you would be absolutely susceptible,” he explained.  

In its blog post, Alert Logic demonstrates how exploitation of grinch can be achieved using an open source set of packet management tools called PackageKit Console Client (PKCon).

In a Tuesday interview with SCMagazine.com, Jay Kaplan, CEO at Synack, a firm providing security-as-a-service solutions in part by crowdsourcing vulnerability detection efforts of researchers, said that the “sheer number of people that contribute to open source projects [such as Linux] lends itself to them having security issues that may go undiscovered for years.”

He added that vulnerability management is the key to reducing an enterprise's risk profile, as the trend of major vulnerabilities, like Heartbleed or Shellshock, being disclosed is "never going to go away," he said.

“When these problems come out, if enterprises don't have good visibility into the portfolio or their services and applications running, it makes it hard to respond to these types of issues,” Kaplan added.

UPDATE: Security experts, including those at SANS and Red Hat, have responded to the Alert Logic findings say they don't necessarily classify the issue as a "vulnerability."

SANS, for instance, said in a blog post that grinch "isn't so much a vulnerability, as more a common overly permissive configuration of many Linux systems. It could easily be leveraged to escalate privileges beyond the intent of the Polkit configuration," the post said.

On Thursday, Red Hat published a short article on whether the grinch issue affects Red Hat Enterprise Linux. The organization said that it "does not consider this to be a security issue or even a bug. This the expected behavior of the PackageKit console client."

Red Hat also explained that "this behavior is controlled in Red Hat Enterprise Linux 7 via the /usr/share/polkit-1/rules.d/org.freedesktop.packagekit.rules file which mandates that installation of packages can only be done, without authentication credentials, if the user is local," the post said. "On Red Hat Enterprise Linux 6, you must authenticate (even when working locally) to install packages. Previous versions of Red Hat Enterprise Linux (version 5 and earlier) do not use or provide PackageKit."

UPDATE 2: In a Friday email to SCMagazine.com, Alert Logic's Stephen Coty expounded on the firm's point that "grinch" is in fact a security issue.

“The issue here is that there is a way to open up the surface area to attacks,"  Coty wrote. "Red Hat has acknowledged that this behavior is intentional. However, intended behavior does not always mean the feature cannot be abused or shouldn't be modified in the future to eliminate potential misuse. If installing packages worked like every other operation, such as removing packages or adding repositories, and always asked for a password, then this wouldn't have the abuse potential we've identified. We are more than happy to work with the developers to improve this feature in the future," he said.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.